Many of presently existing mobile networks, as well as possible future networks being defined by standardization bodies, require end-users and user-agents to authenticate themselves when accessing a network and, rather, when accessing services associated to the network. In this respect, GSM, GPRS, Wireless Local Area Network (WLAN) and Multimedia (IMS) domains, as defined by 3GPP and 3GPP2 standards, they all require user's equipment or terminals arranged to run an authentication procedure specific for each particular technological domain before granting users or user-agents the access to said domains. In particular, the technological domains cited above, as well as other emerging technological domains, require different security levels that complicate more the access throughout different technological domains. This access throughout implies extra security that is not always needed and, as a consequence, extra processing and signalling capabilities as well as extra complexity in the user's equipment or terminals.
Currently, the authentication procedure in a 3GPP Multimedia domain is carried out as described in 3G TS 33.203 standard and depicted in FIG. 1 in terms of a Session Initiation Protocol (SIP) based signalling flow. As FIG. 1 illustrates and the referred technical specifications describe, Multimedia authentication shall be carried out always when a user is registering in the Multimedia domain, what is typically started by sending a SIP Register message for a given private and public identity.
An initial condition assumed before starting the flow cited above is that an end-user must have a data connection open before accessing the Multimedia domain. This connection may be either a GPRS connection in terms of having a PDP context activated, or a WLAN connection in terms of having established a data connection as specified by the IEEE 802.11 standards, or another Access network providing the user side with a data connection. In this scenario, an end-user or a user-agent have been already authenticated by the access network, whether GPRS or WLAN or another, in order to establish such data connection and before sending a SIP Register to the Multimedia domain.
In particular, both currently used access networks, namely GPRS and WLAN, are offering respective authentication mechanism, SIM/USIM-AKA for GPRS and EAP-SIM/AKA for WLAN, whereas the Multimedia domain currently makes use of an authentication mechanism offering a similar level of security as the above access networks, the so-called USIM-AKA, which is carried out when the SIP Register message reaches a Serving Call Status Control Function (S-CSCF) entity as shown in FIG. 1. In this respect, FIG. 2 illustrates the sequence of actions followed to carry out an EAP AKA authentication for a user having accessed a WLAN network wherein RADIUS and MAP seems to be the most probable protocol alternatives though DIAMETER could also be used instead of RADIUS or MAP.
At present, a user wanting to get access to the Multimedia domain requires a previous establishment of a data connection, what is frequently carried out through an access network such as GPRS or WLAN and, consequently, the user has been authenticated firstly with an EAP-SIM/AKA for a WLAN access network, and further the user should be authenticated secondly with a USIM-AKA when registering into the Multimedia domain.
One may conclude that at present there is no authentication mechanism carrying out a cross-domain authentication for a given user between an access network such as GPRS or WLAN and a SIP-based Multimedia domain. In other words, there is no existing service or device that is able to administer authentication data on behalf of a user or a SIP user-agent and relieve said user or SIP user-agent from having to perform authentication operations in the Multimedia domain once an authentication has already taken place in the access network where the user is accessing through, said access network being likely GPRS or WLAN.
In this situation, the authentication for Multimedia domain as described in 3G TS 33.203 and illustrated in FIG. 1 adds extra signalling in the radio path that, under some scenarios, might be unnecessary. Firstly, after a SIP Register is received by the S-SCSF, the S-SCSF typically sends an Authentication Challenge message to the SIP user-agent. If this operation is successful, then the S-CSCF will periodically send an Authentication-Vector-request to the SIP user-agent that in turn must respond with an Authentication-Vector-response. Both of these messages add extra load on the multimedia domain as well as longer registration times. That is, SIP user-agents should process and respond to both the Authentication-Challenge and Authentication-Vector-request. These messages require extra processing by the SIP user-agent which means that the SIP user-agent has to make use of power for this process rather than using as much power as possible for Multimedia services that are likely of a high-power consumption nature, and bearing in mind the limited power of batteries.
Thereby, the present invention is aimed to provide an inter-domain authentication mechanism carrying out a cross-domain authentication for a given user between an access network domain and a Multimedia domain, this inter-domain authentication mechanism being simpler than the currently existing one, and applicable where a user authentication has been carried out by the access network.